Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.
How could an attacker exploit this vulnerability? An attacker could exploit this issue by sending specially crafted input to an Azure Model Context Protocol (MCP) Server tool that accepts user‑provided parameters. If the attacker can interact with the MCP‑backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access. What privileges could be gained by an attacker who successfully exploited the vulnerability? A successful attacker could obtain the permissions associated with the MCP Server’s managed identity. This may allow the attacker to access or perform actions on any resources that the managed identity is authorized to reach. The attacker does not gain broader tenant‑level or administrator permissions; only those tied to the compromised managed identity.
<a href="https://www.linkedin.com/in/danielberredo/">Daniel Santos</a> with Microsoft